Is Google Tag Manager GDPR Compliant? (What It Really Depends On)

Is Google Tag Manager GDPR compliant? GTM itself sets no tracking cookies, but the tags it fires do. Here is what the law requires and the 6-step fix.


by Billal Hossain • 1 July 2026


Google Tag Manager does not set tracking cookies or collect visitor personal data on its own. That makes it neither compliant nor non-compliant by default. Your configuration decides: a GTM container that fires non-essential tags before consent is given is the actual GDPR problem, not GTM itself.

This page explains what GTM does and does not do and why a misconfigured container creates real legal risk. It also covers what the 2025 German court ruling means for EU sites, and the six steps that make a GTM setup GDPR compliant.

Is Google Tag Manager GDPR Compliant? The Short Answer

GTM is a tag container. By default it sets no tracking cookies and collects no visitor personal data, so it is not inherently compliant or non-compliant.

Compliance is decided by configuration. Non-essential tags loaded by GTM, such as Google Analytics, Google Ads, or Meta Pixel, set cookies and collect personal data. When those tags fire before the visitor consents, the site breaks the GDPR and ePrivacy Directive prior-consent rule. The fix is gating every non-essential tag behind a consent check and implementing Google Consent Mode v2 for Google's own tags.

Does Google Tag Manager Set Cookies or Collect Personal Data?

Google Tag Manager does not set tracking or analytics cookies on its own. Google's data privacy documentation confirms this directly. GTM "does not collect, retain, or share any information about visitors to our customers' properties."

One exception applies. GTM's Preview and Debug mode sets temporary first-party cookies for the signed-in administrator. Real visitors never encounter these cookies; they exist only during a developer's debugging session.

The distinction that matters is this:

  • GTM the container: delivers and manages tags. Sets no tracking cookies. Collects no visitor personal data by default.
  • The tags GTM fires: Google Analytics, Google Ads, Meta Pixel, and similar tools set cookies and collect personal data. These are what require consent.

Under GDPR Recital 30, internet protocol addresses are personal data. Cookies used to identify users are personal data. Both of those things happen when non-essential tags fire, which is why the tags GTM fires, not GTM itself, create the compliance obligation. (gdpr.eu/cookies)

Why GTM Becomes a GDPR Problem: Tags Firing Before Consent

The core failure in most GTM setups is order of execution. Non-essential tags fire the moment the page loads, so analytics and advertising cookies are set before the visitor has any chance to consent.

Under the GDPR and the ePrivacy Directive, consent must be obtained before using any cookies except strictly necessary ones. A cookie banner that loads after the tracking tags have already fired does not satisfy this rule. The consent UI appeared, but the data collection already happened.

I checked Google's own GTM support forum, where a website manager in Germany flagged exactly this failure. In GTM Preview mode the tracking tags fired even when no consent had been given. The pattern repeats on live production sites whenever no consent initialization trigger gates the tags. The most common version is a site that loads gtag.js the instant the page opens, with no consent prompt first.

A second factor compounds the problem. When a page loads with GTM installed, the browser makes an HTTP request to download gtm.js from Google's servers. That request transmits the visitor's IP address and device information to Google before any individual tracking tag fires. Google acknowledges that IP addresses appear in standard HTTP request logs. It says those logs are deleted within 14 days. The Hannover court (discussed next) found that the transmission itself, not the retention window, is the legal trigger.

This container-level request is why gating the tags is only half the fix. Sequencing your tags so they fire after consent stops the tags. It does not stop the gtm.js request that already sent the IP on load. Installing your consent banner as a GTM tag also creates a trap. The container cannot load to show the banner until consent exists, yet consent cannot exist until the banner shows. The clean fix is to load your consent layer before GTM (or move the container server-side), not inside it.

For sites running Google Analytics, that tag carries its own compliance considerations beyond what GTM adds.

What the German Court Ruling on GTM Means (Hannover, 2025)

In 2025, the Administrative Court of Hannover (Verwaltungsgericht Hannover) ruled that loading Google Tag Manager on a website requires the visitor's prior explicit consent. The court found that the container's initial load transmits the visitor's IP address and device data to Google before any individual tag fires. That transmission constitutes access to terminal equipment under TTDSG §25(1), the German implementation of the ePrivacy Directive. Legitimate interest was rejected as a legal basis.

The ruling has three practical implications for EU sites:

  1. GTM's container load itself requires consent, not only the tags it fires.
  2. Legitimate interest cannot justify loading GTM client-side before the user acts.
  3. Server-side GTM is a direct technical remedy. The browser contacts the site's own server, not Google's, so the raw client IP never reaches Google directly.

This is a German court ruling, not EU-wide law. The underlying logic still applies across the EU. TTDSG §25(1) mirrors the ePrivacy Directive Article 5(3), and similar rulings have followed in other member states on adjacent questions.

How to Make Google Tag Manager GDPR Compliant

Making GTM GDPR compliant means ensuring no non-essential tag fires until the visitor consents, and keeping a record of that consent. The steps below run in order.

  1. Audit every tag in your container. List each tag, identify what data it collects, and decide whether it is strictly necessary. Non-essential tags, including analytics, advertising, remarketing, and social pixels, require consent before they fire.
  1. Install a Consent Management Platform (CMP). A CMP shows the consent banner, captures the visitor's choice, and stores the consent record. It is what feeds the consent signal into GTM. The CMP must cover non-Google tags too, not only Google's tools. To make sure your tech stack is compliant beyond GTM, a CMP that auto-blocks scripts and iframes is the safest starting point. For sites on WordPress, check whether WordPress is GDPR compliant out of the box, since GTM is often installed there via a plugin.
  1. Gate tags with a Consent Initialization trigger. GTM includes a Consent Initialization trigger type that fires before all other triggers, including the standard Initialization trigger. Use it so consent state is established before any tag can fire. This fixes the order-of-execution problem for the tags. Load the consent layer itself before GTM, not as a tag inside it, so it can set the consent state without waiting on the container.
  1. Configure Google Consent Mode v2. Set all four consent signals to "denied" as the default state using setDefaultConsentState. The four signals are ad_storage, analytics_storage, ad_user_data, and ad_personalization. (Google Consent Mode documentation) When the visitor makes a choice, the CMP updates those signals with updateConsentState. As of March 6, 2024, Google requires Consent Mode v2 for all advertisers running campaigns in the EU, EEA, and UK under the Digital Markets Act. One important limit: Consent Mode v2 adjusts the behavior of Google's own tags only. Non-Google tags such as Meta Pixel are not blocked by Consent Mode and need separate tag-level consent conditions or a CMP with auto-blocking built in. For store owners, check whether Shopify is GDPR compliant separately, since the platform adds its own obligations beyond tag management.
  1. Sign Google's Data Processing Terms. Accept Google's Data Processing Terms to document the controller-processor relationship required under GDPR Article 28. Configure any available data settings, such as IP anonymization and region controls, inside Google's own tools as an additional layer.
  1. Consider server-side GTM. With server-side tagging, the browser sends its HTTP request to the site owner's own server container, not directly to Google's servers. Google's documentation confirms: "the browser's IP address is sent to your server, not to Google directly." (Google server-side tagging docs) This addresses the Hannover ruling's core concern. It removes the IP-on-container-load problem, but it does not remove the obligation to obtain consent for non-essential processing.

How Is GTM Different From Google Analytics and Consent Mode for GDPR?

These three tools are frequently confused. The table below resolves the distinction.

ToolWhat it isGDPR compliance status
Google Tag ManagerA tag container that deploys and manages code snippets on your siteNeither compliant nor non-compliant on its own; depends entirely on which tags fire and when
Google Analytics (GA4)A tag that collects visitor behavior data, including device data, pageviews, and eventsRequires consent before firing; sets analytics cookies that are personal data under GDPR Recital 30
Google Consent Mode v2A signaling layer that tells Google's own tags how to behave based on the visitor's consent stateNecessary for Google tags in the EU but not sufficient alone; does not block non-Google tags such as Meta Pixel, and does not replace a CMP and banner

None of the three is "GDPR compliant" on its own. Each depends on consent being correctly captured and respected. Consent Mode v2 adjusts how Google's own tags behave once consent is given or denied. It signals consent state, it does not enforce it. A CMP handles the enforcement by blocking tags until consent arrives.

How Consently Makes Google Tag Manager GDPR Compliant

Consently is a consent management platform that installs on your site and automatically enables Google Consent Mode v2. All four consent signals are set to denied by default.

Once installed, Consently handles the two layers that make GTM compliant. First, it sets the Consent Mode v2 defaults to denied for ad_storage, analytics_storage, ad_user_data, and ad_personalization without requiring any manual gtag('consent') code. When the visitor accepts or declines through the banner, Consently updates those signals automatically. Second, Consently's auto-blocking holds non-essential cookies, scripts, and iframes in place until consent is received. This covers non-Google tags like Meta Pixel that Consent Mode alone does not block.

Order of loading matters here. Consently is designed to load before your tracking tags, so consent state is set first. The recommended install places the Consently script in the page <head>, ahead of the GTM snippet. That also keeps the consent layer out of the container's chicken-and-egg trap. You can still run Consently through GTM with a Custom HTML tag. GTM sequencing then fires it first, which gates the tags inside the container.

Consently also logs every consent record with a timestamp and status, giving you the documented audit trail GDPR requires. Consent logs are exportable, and GDPR opt-in and US opt-out templates are built in.

To walk through the exact setup, see set up cookie consent in Google Tag Manager with Consently. Start free, no credit card required.

FAQs

Is Google Tag Manager GDPR compliant?

GTM is compliant only when configured to gate tags behind consent. By default it sets no tracking cookies, so it is neither compliant nor non-compliant on its own. The tags it fires decide the legal question.

Does Google Tag Manager require cookie consent?

GTM itself does not set cookies in production, but the tags it fires, such as Google Analytics and Meta Pixel, usually do. Those tags require consent before they run. A 2025 German court ruling went further. It found that loading the GTM container transmits the visitor's IP to Google on load, so the container itself requires prior consent under TTDSG §25(1).

Does GTM set cookies?

Not by default, except for a temporary first-party cookie in Preview and Debug mode used by the signed-in administrator. The cookies visitors encounter on your site come from the tags GTM deploys, not from GTM itself.

Can I use GTM before consent is given?

Running non-essential tags before consent is a GDPR violation. The Hannover court also found that loading the GTM container client-side before consent transmits the visitor's IP to Google, which itself requires prior consent. Server-side GTM or a properly configured consent initialization trigger addresses this.

Is Google Consent Mode v2 enough for GDPR?

Consent Mode v2 is necessary for Google tags in the EU and UK under the Digital Markets Act, but it is not sufficient alone. It signals consent state to Google's own tags, such as GA4 and Google Ads, and adjusts their behavior accordingly. It does not block non-Google tags like Meta Pixel or LinkedIn Insight Tag. A CMP with auto-blocking is needed to cover those, and a consent banner is still required to capture and record consent.

Do I need a cookie banner if I use Google Tag Manager?

Yes. GTM does not capture consent. You need a CMP and banner to show the consent choice to visitors, record their decision, and block non-essential tags until they accept. GTM manages where your tags fire; the CMP controls whether they should fire at all.

Is server-side GTM more GDPR compliant?

Server-side tagging removes the IP-on-container-load problem identified in the Hannover ruling. The browser contacts your own server rather than Google's, so Google never receives the raw client IP from the page load. Server-side GTM does not remove the obligation to obtain consent for non-essential data processing. It is a technical improvement that addresses a specific enforcement concern, not a full compliance solution on its own.

AUTHOR

Billal Hossain is a software engineer with hands-on experience building Consently from start to finish. His work gives him a practical understanding of consent management platforms, cookie consent, and how businesses can create more compliant, user-friendly websites.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.